You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@phoenix.apache.org by "Rajeshbabu Chintaguntla (JIRA)" <ji...@apache.org> on 2018/05/31 11:15:00 UTC

[jira] [Commented] (PHOENIX-4528) PhoenixAccessController checks permissions only at table level when creating views

    [ https://issues.apache.org/jira/browse/PHOENIX-4528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16496398#comment-16496398 ] 

Rajeshbabu Chintaguntla commented on PHOENIX-4528:
--------------------------------------------------

The v2 patch works fine after fixing HBase issue HBASE-20635.Basically in 1.x branches from connection we can get rpc controller using that we can prepare user permissions from proto response. But in 5.x connection is returning shaded RpcController from that we cannot prepare UserPermissions. So HBASE-20635 need to be committed before this to committed,

> PhoenixAccessController checks permissions only at table level when creating views
> ----------------------------------------------------------------------------------
>
>                 Key: PHOENIX-4528
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4528
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Assignee: Karan Mehta
>            Priority: Major
>             Fix For: 4.14.0, 5.0.0
>
>         Attachments: PHOENIX-4528.001.patch, PHOENIX-4528.master.001.patch, PHOENIX-4528.repro-test.diff, PHOENIX-4528_5.x-HBase-2.0.patch, PHOENIX-4528_5.x-HBase-2.0_v2.patch
>
>
> The {{PhoenixAccessController#preCreateTable()}} method is invoked everytime a user wants to create a view on a base table. The {{requireAccess()}} method takes in tableName as the parameter and checks for user permissions only at that table level. The correct approach is to also check permissions at namespace level, since it is at a larger scope than per table level.
> For example, if the table name is {{TEST_SCHEMA.TEST_TABLE}}, it will created as {{TEST_SCHEMA:TEST_TABLE}} HBase table is namespace mapping is enabled. View creation on this table would fail if permissions are granted to just {{TEST_SCHEMA}} and not on {{TEST_TABLE}}. It works correctly if same permissions are granted at table level too.
> FYI. [~ankit.singhal] [~twdsilva@gmail.com]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)